How to always remember our passwords

Mladen Bukejlovic Categories: Front-end development Date 31-May-2018 6 minutes to read
How To Always Remember Our Passwords

Table of contents

    forgot-password.jpg

    Most of us, at least once, experienced a situation where we forget an important password for one of many websites we visit occasionally. This is inconvenient, at least, but sometimes can be even painful, depending on the importance of the account we're trying to log into.

    There are several approaches that could help us not to forget our passwords and we'll try to briefly describe those here.

    Using the same password everywhere

    One thing that probably comes to our minds is to use the same, strong, password on all the web sites we visit. This, of course, is not really secure and there are known examples of celebrities which got hacked this way. It might be the easiest way, but if someone gets a hold on our password (for example, just by looking over our shoulder, while we're typing it), they could exploit it on any web site where they assume we have an account.

    xkcd2.jpg

    So, please, don't use this approach. It's proven to be wrong and easily exploited.

    W3!rd-100k!ng p455w0rd5 (weird-looking passwords)

    Replacing regular letters with numbers and special characters, to make the guessing of our passwords more complicated, can appear to be more secure, but it's easy to mathematically prove this is not quite true. That way the entropy of our passwords does increase a little bit, making things a bit more complicated for hackers, but, more importantly, it also complicates things for us, to remember it. It's quite easy to get into a situation where we can't remember if we switched the letter 'i' with a number 'one', or was it a letter 'L', well, you get the point.

    Using long passwords

    This approach complicates the process of guessing our passwords a lot, considering that the number of possible variations rises exponentially with each new letter added to the password. For example, if we use only lower letters of the English alphabet (26 characters), a password of 4 characters has 264=456976 possible variations to be tried. If we use a 5-letter password, the number of variations rises to 265=11881376. So, it's pretty difficult to guess a long password, especially if we use a bigger alphabet (different letter casings, plus numbers and special symbols), to have more than 26 characters as a base. Now, the obvious question is how can we easily remember long passwords?

    Singing our passwords

    singer.jpg

    One cool approach is to pick a song we like, and while humming the favorite part of the song, we can pick every first (or every second/third) letter from it and write it down. For example, I've used a song from Guns 'n' Roses named "Sweet child of mine", which has a verse like "She's got eyes of the bluest skies as if they thought of rain". If we take every first letter of that verse, we'll get something like "sgeotbsaittor". Now, that's some password that's easy to remember, but very difficult to guess, because it's not a common word, so dictionary-based attacks are useless against it. And if someone is peeking over our shoulder, while we are typing our password, it's highly likely they wouldn't remember any of it, because it simply doesn't look like anything meaningful. Not to mention that we can easily increase the length as much as we like or as long as we have fun singing it in our heads :)

    Remembering a pattern instead of a password

    It would be very convenient if we could reduce all our passwords into one thing, to make it easy for us to remember it. On the other hand, it would be more secure to keep all our passwords different, to make it difficult for the potential attackers to guess. That's where the password pattern comes to the rescue. If we only remember a pattern, or a strategy, which helps us create a concrete password, we could remember that one thing and apply it to all our passwords easily.

    xkcd.png

    For example, let's imagine our strategy looks like this: Let's take numbers "12345", then add the web site name to it (with the first character uppercased) and then let's add some more characters, just to make the password longer. For example, let's add our country name or a pet name, followed by some special characters like dots, exclamation marks, commas, etc. That way we could have our Facebook password set to something like "12345Facebook.,!Buddy". Our Twitter password would be similar "12345Twitter,.!Buddy" and our Pinterest password would be "12345Pinterest.,!Buddy". These kind of passwords look strong enough, for sure.

    The problem with this approach is if the attackers succeed to retrieve any of our passwords, they might figure out our password pattern, so it won't be too hard for them to apply it the same way to all the web sites we use. That means that our password pattern needs to be difficult to be reverse engineered out from a single password. With that in mind, we have to get rid of the obvious web site name in our password and replace it with some related word. For example, we could use some sort of letters juggling, like 'Facebook' → 'Gbdfcppl' (switching each letter with its alphabetic successor: f→g, a→b, c→d, etc). But this is quite difficult to type and fairly easy to reverse engineer, so it's not really worth the effort. It's just being displayed here as an example of simple juggling of letters.

    The more efficient approach is to personalize that mapping, so that it's not that easy to reverse engineer the mapping we used. For example, instead of using the word 'Facebook', we could use a word that comes to our mind as first, when we think of the word 'Facebook', like 'Zuckerberg' (the name of the founder). For the word 'Twitter', we could use 'Nightingale', etc. The idea is to have our own personalized way of mapping the web site names, to make things complicated to attackers. This way our passwords for Facebook, Twitter and Pinterest could be: "12345Zuckerberg.,!Buddy", "12345Nightingale,.!Buddy" and "12345Gallery.,!Buddy".

    We could even use a different pet name for each web site. We only need to remember which pet relates to which web site :) But the attacker would have no way of easily guessing the exact pet's name for a desired web site, even if they know one of our passwords. The idea is to make this password strategy personalized to ourselves, so that the attackers can't reverse engineer our strategy, even if they know one of our passwords somehow.

    Combining the stuff together

    To make things even more difficult for the attackers, we could try and combine some of these approaches that we discussed so far. For example, let's combine singing of our passwords and password pattern. For Facebook, we would have something like this "sgeotbsaittor12345Zuckerberg.,!Buddy". That kind of a password is fairly difficult to remember for anyone who is peeking over our shoulder and it's quite easy for us to remember it. The entropy of such a password is so high that it's practically not feasible to perform a brute force attack on it (trying each possible combination of characters). There are also some other great techniques for remembering our passwords and we can always combine several approaches to get even stronger passwords, but we should keep in mind whatever we come up with, it needs to be easy to remember.

    Also, whenever possible, consider using a 2-factor authentication because it increases the security of our accounts a lot, even in the case of weak passwords.

    Conclusion

    In order to create strong passwords, we need to: make them long, mix letter casing, use numbers and special characters, avoid using dictionary words, never reuse same password, etc. Combining that requirement with the fact that we need to actually remember our passwords is quite challenging.

    password-complexity.png

    The approaches, discussed in this article, were meant to inspire you to come up with something personalized to yourself and I honestly hope the article managed to achieve that. The more you make your password strategies personal and specific to the things only you know about, the more difficult it will be for attackers to guess it.

    If you have some ideas how to craft even stronger passwords more easily, I'd really like to hear those ideas, so please share them in the comments. Thanks!

    mladen-bukejlovic-_authorsphoto.png
    Mladen Bukejlovic Software Developer

    Mladen likes to consider himself as a problem solver, rather than a software developer. He's always looking for an interesting problem to solve, no matter which realm it comes from. He believes that solutions for problems from one realm can usually be adapted and applied to problems from a completely different one, which, as a result, helps to grow the overall experience of a person a lot faster.